
Flow Direction

The Flow Processor process analyzes each flow to determine the direction of the network communication.

In some cases, the flow traffic is bidirectional: the client communicates with the server and the server responds to the client. In this scenario, both the client and the server operate as though they are the source and the other is the destination. To address this, JSA sets the flow direction so that the source and destination devices are reported consistently throughout the entire communication session. The flow data is normalized so that all flows follow the same convention: Destination always refers to the server, and Source always refers to the client.

To determine the flow direction, JSA checks whether the source and destination ports match the list of common destination ports that is defined in the appid_map.conf file. The flow direction is reversed when the following criteria are met:

  • If the destination port does not match the list of common destination ports, reverse the flow direction if either of the following conditions is true:

    • The source port is a common destination port.

    • The source port is less than 1024 and the destination port is greater than 1024.

  • If the destination port does match the list of common destination ports, reverse the flow direction if both of the following conditions are true:

    • The source port is a common destination port.

    • The source port is less than 1024 and the destination port is greater than 1024.

If the flow does not match any of the flow direction criteria, JSA uses the flow arrival time to determine the flow direction.
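
The reversal criteria above, written out as a decision function. This is an added example, not JSA code: the port set stands in for the list in appid_map.conf, and the function names, flow dictionary keys and sample flows are constructed for illustration.

```python
# Added example: the reversal criteria from this page as a decision function.
# COMMON_DST_PORTS is a constructed stand-in for the list in appid_map.conf.
COMMON_DST_PORTS = frozenset({22, 53, 80, 443, 3306, 8080})

def should_reverse(src_port, dst_port, common=COMMON_DST_PORTS):
    """Return (reverse, reason) following the documented criteria."""
    src_common = src_port in common
    dst_common = dst_port in common
    # "The source port is less than 1024 and the destination port is greater than 1024."
    low_to_high = src_port < 1024 and dst_port > 1024

    if not dst_common:
        # Destination port is not common: either condition is enough.
        if src_common:
            return True, "source port is a common destination port"
        if low_to_high:
            return True, "source port < 1024 and destination port > 1024"
    elif src_common and low_to_high:
        # Destination port is common: both conditions are required.
        return True, "both ports common; source port is in the 0-1023 range"
    return False, "no reversal criterion matched; direction kept as received"

def normalize(flow, common=COMMON_DST_PORTS):
    """Return a copy of the flow with Source = client, Destination = server."""
    reverse, reason = should_reverse(flow["src_port"], flow["dst_port"], common)
    out = dict(flow, reversed=reverse, reason=reason)
    if reverse:
        out.update(src_ip=flow["dst_ip"], src_port=flow["dst_port"],
                   dst_ip=flow["src_ip"], dst_port=flow["src_port"])
    return out

# Constructed sample flows, as they appeared on the wire.
SAMPLE_FLOWS = [
    {"src_ip": "192.0.2.10", "src_port": 80, "dst_ip": "198.51.100.7", "dst_port": 51514},
    {"src_ip": "198.51.100.7", "src_port": 51515, "dst_ip": "192.0.2.10", "dst_port": 443},
    {"src_ip": "192.0.2.20", "src_port": 443, "dst_ip": "192.0.2.30", "dst_port": 8080},
    {"src_ip": "192.0.2.30", "src_port": 8080, "dst_ip": "192.0.2.20", "dst_port": 3306},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        n = normalize(f)
        print(f'{f["src_port"]:>5} -> {f["dst_port"]:<5} reversed={n["reversed"]!s:<5} {n["reason"]}')
```

Because the decision rests on port numbers alone, a reversed record shows Source and Destination swapped relative to the packets on the wire, which matters when correlating a flow with firewall or packet-capture data.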

Tip:

If you do not want JSA to determine the flow direction, set the Use Common Destination Port field to No when you configure the Flow Processor. For more information, see Configuring a Flow Processor.

Example: Flow Direction Reversed by JSA

In this flow, the source port is 80, which is a common destination port. The destination port is higher than 1024, which, according to RFC 1700, excludes it as a common destination port. In this case, JSA flipped the flow direction.

On the Flow Information window, you can see the flow direction algorithm that was used to set the direction.

Flow Direction Algorithms

Flow direction algorithms detect which side of the communication is more likely to be the destination device, and reverse the flow direction as required. The algorithm value recorded for a flow tells you how the traffic originally appeared on the network and which features of the traffic caused it to be reversed.

The following table displays the values that are used in the flow direction algorithm.

| Numeric value | Algorithm | Description |
| --- | --- | --- |
| 1 | Single common destination port (reversed) | Either the source port or the destination port was found in the list of common destination ports, and JSA reversed the flow direction. |
| 2 | Both common destination ports but one was RFC 1700 preferred (reversed) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700, the source port is a preferred destination port, so JSA reversed the flow direction. The RFC 1700 preferred ports are in the range of 0 to 1023, which are controlled and assigned by the Internet Assigned Numbers Authority (IANA). |
| 3 | Arrival time | The flow does not match the criteria for any other flow direction algorithm. JSA used the flow arrival time to determine the flow direction. The Flow Processor process assumes that the request was received before the response, and the flow direction remains as it was received. |
| 4 | Flow exporter | The flow direction is set by an external flow exporter, such as a Packeteer device. |
| 5 | Single common destination port (unaltered) | Either the source port or the destination port was found in the list of common destination ports. JSA did not alter the flow direction. |
| 6 | Both common destination ports but one was RFC 1700 preferred (unaltered) | Both the source port and the destination port are defined as common destination ports. According to RFC 1700, the destination port is a preferred destination port, so JSA did not alter the flow direction. |

Displaying the Flow Direction Algorithm Field in Search Results

Use the search feature to add the flow direction algorithm to the Flow Details window. You can use the flow direction algorithm to identify the criteria that caused JSA to reverse the flow direction.

  1. Click the Network Activity tab.

  2. From the Search list, select New Search.

  3. In the Column Definition section, scroll down the list of available columns and add Flow Direction Algorithm to the list of columns to display.

  4. Click Filter.

    The Flow Direction Algorithm column appears on the Network Activity tab, displaying a value that represents the algorithm that was used.

  5. Pause the event streaming and click a flow to investigate further in the Flow Details window.

The Flow Direction Algorithm now appears in the Flow Details window for all flows.